CVE-2025-54006

2025-07-16 [email protected]
WordPress PHP XSS

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS.This issue affects Bold Page Builder: from n/a through <= 5.4.1.

AnalysisAI

Stored cross-site scripting (XSS) in Bold Page Builder WordPress plugin through version 5.4.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during page generation, enabling attackers with page creation or editing capabilities to embed persistent XSS payloads. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04th percentile) reflects limited real-world attack probability despite the vulnerability's presence in a widely-installed page builder plugin.

Technical ContextAI

Bold Page Builder is a WordPress page builder plugin that processes user-supplied input when generating web pages. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when the plugin fails to properly sanitize or escape user input before rendering it in HTML output. Stored XSS vulnerabilities differ from reflected XSS in that the malicious payload is persisted in the application's data store (in this case, WordPress post/page metadata or content), meaning any user who views an affected page becomes exposed to the injected script. The attack surface is limited to users with permissions to create or edit pages within the Bold Page Builder interface, making this a post-authentication vulnerability despite its ability to impact unauthenticated site visitors who view the compromised content.

Affected ProductsAI

Bold Page Builder WordPress plugin versions from the earliest release through 5.4.1 are affected. The plugin is distributed via the official WordPress plugin repository (CPE scope: wordpress/plugin/bold-page-builder). Users running any version numbered 5.4.1 or earlier are vulnerable. Vendor advisory and vulnerability details are available at the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/bold-page-builder/vulnerability/wordpress-bold-page-builder-plugin-5-4-1-cross-site-scripting-xss-vulnerability).

RemediationAI

Update Bold Page Builder to the patched version released after 5.4.1 as soon as it becomes available. The plugin maintainers should be contacted directly or checked via the WordPress plugin dashboard for the latest available update. In the interim, restrict page editing and page builder access to trusted administrators only, and audit existing pages created with the plugin for suspicious scripts or content. WordPress administrators can limit plugin capabilities through role-based access controls, removing the 'edit_pages' capability from contributor and editor roles if operationally feasible. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bold-page-builder/) for patch release notifications and update immediately upon availability.

Share

CVE-2025-54006 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy